PT-2023-1394 · Argo CD

Crenshaw-Dev · Published 2023-02-03 · Updated 2024-08-07 · CVE-2023-25163

CVSS v3.1: 6.3 (Medium)
Vector: AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Argo CD versions 2.6.0-rc1 through 2.6.0

Description
The issue is an output sanitization bug in Argo CD that leaks repository access credentials in error messages. These error messages are shown to the user and are written to the logs. The error message is produced when a user attempts to create or update an Application via the Argo CD API; the user must have "applications, create" or "applications, update" RBAC access to reach the code that may produce the error.

Recommendations
For versions 2.6.0-rc1 through 2.6.0, upgrade to version 2.6.1 to resolve the issue. To mitigate the issue, ensure that your repository credentials have only the least necessary privileges. Enable commit signature verification to prevent malicious commits from being synced. Enforce least privilege in Argo CD RBAC, granting "repositories, update", "applications, update", or "applications, create" access only to users who absolutely need it.
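As an added example, not from the advisory or the Argo CD project: a small Python audit over an Argo CD RBAC policy.csv that lists which principals hold the "applications, create", "applications, update" or "repositories, update" permissions the recommendations above say to restrict. The policy text is constructed, the function names are my own, and the matcher counts only allow rules and ignores object scope, so it over-reports rather than misses a grant.

```python
from collections import defaultdict

# Permissions the advisory says reach the leaking path or recommends restricting.
RISKY = {("applications", "create"), ("applications", "update"), ("repositories", "update")}
# Constructed sample policy.csv in Argo CD's p/g rule format; not a real deployment.
SAMPLE_POLICY = """\
p, role:readonly, applications, get, */*, allow
p, role:app-admin, applications, *, */*, allow
p, role:deployer, applications, create, team-a/*, allow
p, role:deployer, applications, update, team-a/*, allow
g, alice, role:readonly
g, bob, role:app-admin
g, carol, role:deployer
"""

def parse_policy(policy_csv):
    """Return (p-rules, g-assignments); blank and '#' lines are skipped."""
    rules, groups = [], defaultdict(set)
    for line in policy_csv.splitlines():
        row = [field.strip() for field in line.split(",")]
        if not row[0] or row[0].startswith("#"):
            continue
        if row[0] == "p" and len(row) == 6:
            rules.append(tuple(row[1:]))  # (subject, resource, action, object, effect)
        elif row[0] == "g" and len(row) == 3:
            groups[row[1]].add(row[2])    # subject -> role; roles may chain
    return rules, groups

def effective_subjects(subject, groups):
    """The subject plus every role reachable through g-assignments."""
    seen, stack = set(), [subject]
    while stack:
        s = stack.pop()
        seen.add(s)
        stack.extend(r for r in groups.get(s, ()) if r not in seen)
    return seen

def risky_subjects(policy_csv):
    """Map each principal (non-role subject) to the risky permissions it holds;
    only allow rules count and object scope is ignored, so this over-reports."""
    rules, groups = parse_policy(policy_csv)
    principals = {s for s in set(groups) | {r[0] for r in rules} if not s.startswith("role:")}
    report = {}
    for principal in sorted(principals):
        held = effective_subjects(principal, groups)
        granted = {f"{res}, {act}" for res, act in RISKY for subj, r_res, r_act, _o, eff in rules
                   if subj in held and eff == "allow" and r_res in ("*", res) and r_act in ("*", act)}
        if granted:
            report[principal] = granted
    return report
```

Run it against your own policy.csv (for example the one exported from the argocd-rbac-cm ConfigMap) and review every principal it lists against the recommendations above.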

Weakness Enumeration

Insertion into Log File

Related Identifiers

BDU:2023-00763
BIT-ARGO-CD-2023-25163
CVE-2023-25163
GHSA-MV6W-J4XC-QPFW
GO-2023-1548

Affected Products

Argo CD